help: Executable file is modified when it is running.
We are doing LRT for a service program on Redhat AS4.0. After about 30
hours running, one of the shared library files was modified. The running
instance goes OK, but any attempt to start another instance of the
service results in SIG_SEGV.
We used objdump to disassemble the library files, and found the difference between the modified file and the original one.
No difference can be found by ls. The timestamp, size, etc. of the file
are all the same.
Is there any possibility that any system procedure, e.g. ld.so, could modify the
file automatically?
Thanks a lot.
The following is the diff of the disasm files.
====================================================================
2c2
< libWeMake.original.so: file format elf32-i386
---
> libWeMake.so: file format elf32-i386
8598c8598
< 4a7f: e9 10 f7 ff ff jmp 4194 <_init+0x18>
---
> 4a7f: e9 01 f7 ff ff jmp 4185 <_init+0x9>
8603c8603
< 4a8f: e9 00 f7 ff ff jmp 4194 <_init+0x18>
---
> 4a8f: e9 ac f7 ff ff jmp 4240 <strdup@plt+0xc>
8606c8606
< 4a94: ff a3 48 02 00 00 jmp *0x248(%ebx)
---
> 4a94: ff a3 48 02 99 00 jmp *0x990248(%ebx)
8608c8608
< 4a9f: e9 f0 f6 ff ff jmp 4194 <_init+0x18>
---
> 4a9f: e9 00 f6 ff ff jmp 40a4 <_init-0xd8>
8611c8611
< 4aa4: ff a3 4c 02 00 00 jmp *0x24c(%ebx)
---
> 4aa4: ff a3 4c 02 b4 00 jmp *0xb4024c(%ebx)
8613c8613
< 4aaf: e9 e0 f6 ff ff jmp 4194 <_init+0x18>
---
> 4aaf: e9 34 f6 ff ff jmp 40e8 <_init-0x94>
8758c8758
< 4c7f: e9 10 f5 ff ff jmp 4194 <_init+0x18>
---
> 4c7f: e9 00 f5 ff ff jmp 4184 <_init+0x8>
8762c8762
< 4c90: 55 push %ebp
---
> 4c90: 2f das
8766c8766
< 4c95: e8 00 00 00 00 call 4c9a <call_my_start+0xa>
---
> 4c95: e8 00 00 5a 00 call 5a4c9a <_end+0x59071a>
8768c8768
< 4c9b: 81 c3 2e f3 00 00 add $0xf32e,%ebx
---
> 4c9b: 81 c3 2e f3 00 31 add $0x3100f32e,%ebx
8770c8770
< 4ca7: 85 c0 test %eax,%eax
---
> 4ca7: 85 0f test %ecx,(%edi)
8774,8775c8774
< 4cb0: c9 leave
< 4cb1: c3 ret
---
> 4cb0: a8 c3 test $0xc3,%al
8781,8782c8780
< 4cb8: 90 nop
< 4cb9: 90 nop
---
> 4cb8: 78 90 js 4c4a
====================================================================
The related part of the original file is as follows.
====================================================================
8595 00004a74 <semctl@plt>:
8596 4a74: ff a3 40 02 00 00 jmp *0x240(%ebx)
8597 4a7a: 68 68 04 00 00 push $0x468
8598 4a7f: e9 10 f7 ff ff jmp 4194 <_init+0x18>
8599
8600 00004a84 <my_sem_lock__Fi@plt>:
8601 4a84: ff a3 44 02 00 00 jmp *0x244(%ebx)
8602 4a8a: 68 70 04 00 00 push $0x470
8603 4a8f: e9 00 f7 ff ff jmp 4194 <_init+0x18>
8604
8605 00004a94 <my_write__FP6_stPci@plt>:
8606 4a94: ff a3 48 02 00 00 jmp *0x248(%ebx)
8607 4a9a: 68 78 04 00 00 push $0x478
8608 4a9f: e9 f0 f6 ff ff jmp 4194 <_init+0x18>
8609
8610 00004aa4 <my_get_key__FPcPPcPii@plt>:
8611 4aa4: ff a3 4c 02 00 00 jmp *0x24c(%ebx)
8612 4aaa: 68 80 04 00 00 push $0x480
8613 4aaf: e9 e0 f6 ff ff jmp 4194 <_init+0x18>
8614
...
8755 00004c74 <myfree__FP7myGroupPcRi@plt>:
8756 4c74: ff a3 c0 02 00 00 jmp *0x2c0(%ebx)
8757 4c7a: 68 68 05 00 00 push $0x568
8758 4c7f: e9 10 f5 ff ff jmp 4194 <_init+0x18>
8759 Disassembly of section .text:
8760
8761 00004c90 <call_gmon_start>:
8762 4c90: 55 push %ebp
8763 4c91: 89 e5 mov %esp,%ebp
8764 4c93: 53 push %ebx
8765 4c94: 50 push %eax
8766 4c95: e8 00 00 00 00 call 4c9a <call_gmon_start+0xa>
8767 4c9a: 5b pop %ebx
8768 4c9b: 81 c3 2e f3 00 00 add $0xf32e,%ebx
8769 4ca1: 8b 83 98 03 00 00 mov 0x398(%ebx),%eax
8770 4ca7: 85 c0 test %eax,%eax
8771 4ca9: 74 02 je 4cad <call_my_start+0x1d>
8772 4cab: ff d0 call *%eax
8773 4cad: 8b 5d fc mov 0xfffffffc(%ebp),%ebx
8774 4cb0: c9 leave
8775 4cb1: c3 ret
8776 4cb2: 89 f6 mov %esi,%esi
8777 4cb4: 90 nop
8778 4cb5: 90 nop
8779 4cb6: 90 nop
8780 4cb7: 90 nop
8781 4cb8: 90 nop
8782 4cb9: 90 nop
8783 4cba: 90 nop
====================================================================
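Added example (not part of the original post): the post notes that ls showed the same size and timestamp for both copies while objdump revealed changed bytes. The script below shows why size/mtime are not an integrity check and locates the differing bytes; the only real data in it are the semctl@plt stub bytes quoted above (offset 0x4a74) and the single-byte change the diff shows at 4a7f, everything else is constructed.

```python
import hashlib
import os
import tempfile

# Bytes of the semctl@plt stub quoted in the post, and the copy with the diff's change (10 -> 01)
PLT_BASE = 0x4A74
ORIGINAL = bytes.fromhex("ffa340020000" "6868040000" "e910f7ffff")
MODIFIED = bytes.fromhex("ffa340020000" "6868040000" "e901f7ffff")

def sha256_file(path):
    """Content hash: changes whenever any byte changes, unlike size or mtime."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def same_ls_metadata(a, b):
    """What a glance at `ls -l` compares: size and modification time only."""
    sa, sb = os.stat(a), os.stat(b)
    return sa.st_size == sb.st_size and int(sa.st_mtime) == int(sb.st_mtime)

def byte_diff(original, suspect, base=0):
    """(offset, old, new) for every differing byte; offsets are relative to base."""
    if len(original) != len(suspect):
        raise ValueError("sizes differ: %d vs %d" % (len(original), len(suspect)))
    return [(base + i, a, b) for i, (a, b) in enumerate(zip(original, suspect)) if a != b]

def audit(original_path, suspect_path, base=0):
    """Return (ls_metadata_equal, sha256_equal, differing_bytes) for two copies."""
    with open(original_path, "rb") as f:
        orig = f.read()
    with open(suspect_path, "rb") as f:
        susp = f.read()
    return (same_ls_metadata(original_path, suspect_path),
            sha256_file(original_path) == sha256_file(suspect_path),
            byte_diff(orig, susp, base))

def demo():
    """Write both constructed copies with an identical mtime, as in the post, then audit them."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("libWeMake.original.so", "libWeMake.so")]
        for path, data in zip(paths, (ORIGINAL, MODIFIED)):
            with open(path, "wb") as f:
                f.write(data)
            os.utime(path, (1_000_000_000, 1_000_000_000))  # same timestamp on both files
        return audit(paths[0], paths[1], PLT_BASE)

if __name__ == "__main__":
    print(demo())  # metadata equal, hashes differ, one byte changed at 0x4a80
```

On a real host the same comparison can be made against a known-good copy or a recorded hash of the library, since the result reports the exact offsets to feed back into objdump.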